
How to Access npm Packages After Securing Nexus Repository Manager

This article is for those who use, or are interested in using, Nexus Repository Manager as their package manager for npm packages, Docker images and so on, and also for anyone curious about Nexus security.

Some time ago, I was called an npm expert — just because I was the lucky one to get a ticket regarding the security of our npm packages. After researching how to secure these packages, I had to find out how to then access the npm packages from Nexus — and why it does not always work as expected. I thought this guide would help fellow developers.

Why should I secure my Nexus Server?

Consider the following scenario: you are working in a very big company made up of a lot of teams. Although you may think that your co-workers from other teams will do no harm to your project, would you still risk it? There should be no risk if you don’t have any sensitive data. But what if you have middleware guarding the security of your APIs, and that middleware has vulnerabilities?

Another reason to secure Nexus is that you usually run it for your own private projects. These packages will most probably not work for someone else’s project, so other teams should not try to use them, nor should they be able to see them.

And one more point (the list, I think, can go on): although you can secure your repositories so that the source code is not visible to the whole company (private GitHub / Bitbucket repositories), an internal URL is still reachable by everyone on the network. The Nexus server URL looks something like this and is accessible from the internal network:

https://nexus.intern.*subdomain*.*domain*.com

Figure: Unsecure Nexus on internal server (screenshot of the Browse view)

As you can see, we can browse all the npm packages on this server with some additional information, we (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Daniel Pacurici. Read the original post at: https://blog.sonatype.com/how-to-access-npm-packages-after-securing-nexus
